From 21bd2aeb08b376236b0a6f108a8bf9f56f05f5d4 Mon Sep 17 00:00:00 2001
From: Howard Ro <yro@google.com>
Date: Tue, 21 Aug 2018 23:59:46 -0700
Subject: [PATCH] Allow all app types to socket send to statsdw (statsd socket)
Also move statsd to /public/
Bug: 110538431
Test: manual testing
Change-Id: I58319e169eaab7d997ed3628c3c9709cf7bd0d4a
---
 private/file.te | 5 ---
 private/stats.te | 26 ++++++++++++
 private/statsd.te | 103 ----------------------------------------------
 public/app.te | 3 ++
 public/file.te | 2 +
 public/statsd.te | 82 ++++++++++++++++++++++++++++++++++++
 6 files changed, 113 insertions(+), 108 deletions(-)
 create mode 100644 public/statsd.te
diff --git a/private/file.te b/private/file.te
index 58ee0def8..8d18a9084 100644
--- a/private/file.te
+++ b/private/file.te
@@ -1,11 +1,6 @@
 # /proc/config.gz
 type config_gz, fs_type, proc_type;
-# /data/misc/stats-data, /data/misc/stats-service
-type stats_data_file, file_type, data_file_type, core_data_file_type;
-
-type statsdw_socket, file_type, coredomain_socket, mlstrustedobject;
-
 # /data/misc/storaged
 type storaged_data_file, file_type, data_file_type, core_data_file_type;
diff --git a/private/stats.te b/private/stats.te
index be8cfbd25..4b29cf37f 100644
--- a/private/stats.te
+++ b/private/stats.te
@@ -23,3 +23,29 @@ allow stats stats_service:service_manager find;
 binder_call(stats, statsd)
 allow stats statsd:fifo_file write;
+# Only statsd can publish the binder service.
+add_service(statsd, stats_service)
+
+# Allow pipes from (and only from) stats.
+allow statsd stats:fd use;
+allow statsd stats:fifo_file write;
+
+# Allow statsd to call back to stats with status updates.
+binder_call(statsd, stats)
+
+###
+### neverallow rules
+###
+
+# Only system_server, system_app, traceur_app, and stats command can find the stats service.
+neverallow {
+ domain
+ -dumpstate
+ -priv_app
+ -shell
+ -stats
+ -statsd
+ -system_app
+ -system_server
+ -traceur_app
+} stats_service:service_manager find;
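Review bot: The comment above the neverallow moved into private/stats.te is out of date: it says only system_server, system_app, traceur_app and the stats command can find stats_service, yet the exemption set also lists dumpstate, priv_app, shell and statsd. The neverallow is the access contract that the build actually enforces, so the comment should name the same domains, e.g. `# Only statsd, system_server, system_app, priv_app, traceur_app, dumpstate, shell and the stats command can find the stats service.` Keeping them in sync matters here because priv_app and shell are the widest of those exemptions and a reader of the comment alone would not know they are permitted.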
diff --git a/private/statsd.te b/private/statsd.te
index 834fb8b77..1e4c5b392 100644
--- a/private/statsd.te
+++ b/private/statsd.te
@@ -1,44 +1,8 @@
-type statsd, domain, mlstrustedsubject;
 typeattribute statsd coredomain;
 init_daemon_domain(statsd)
-type statsd_exec, exec_type, file_type;
-binder_use(statsd)
-
-# Allow statsd to scan through /proc/pid for all processes.
-r_dir_file(statsd, domain)
-
-# Allow executing files on system, such as running a shell or running:
-# /system/bin/toolbox
-# /system/bin/logcat
-# /system/bin/dumpsys
-allow statsd devpts:chr_file { getattr ioctl read write };
-allow statsd shell_exec:file rx_file_perms;
-allow statsd system_file:file execute_no_trans;
-allow statsd toolbox_exec:file rx_file_perms;
-
-userdebug_or_eng(`
- allow statsd su:fifo_file read;
-')
-
-# Create, read, and write into /data/misc/stats-data, /data/misc/stats-system.
-allow statsd stats_data_file:dir create_dir_perms;
-allow statsd stats_data_file:file create_file_perms;
-
-# Allow statsd to make binder calls to any binder service.
-binder_call(statsd, appdomain)
-binder_call(statsd, healthd)
-binder_call(statsd, incidentd)
-userdebug_or_eng(`
- binder_call(statsd, perfprofd)
-')
 binder_call(statsd, statscompanion_service)
-binder_call(statsd, system_server)
-
-# Allow logd access.
-read_logd(statsd)
-control_logd(statsd)
 # Allow to exec the perfetto cmdline client and pass it the trace config on
 # stdint through a pipe. It allows statsd to capture traces and hand them
@@ -48,72 +12,5 @@ domain_auto_trans(statsd, perfetto_exec, perfetto)
 # Grant statsd with permissions to register the services.
 allow statsd {
- app_api_service
- incident_service
- userdebug_or_eng(`
- perfprofd_service
- ')
 statscompanion_service
- system_api_service
 }:service_manager find;
-
-# Grant statsd to access health hal to access battery metrics.
-allow statsd hal_health_hwservice:hwservice_manager find;
-
-# Only statsd can publish the binder service.
-add_service(statsd, stats_service)
-
-# Allow pipes from (and only from) stats.
-allow statsd stats:fd use;
-allow statsd stats:fifo_file write;
-
-# Allow statsd to send dump info to dumpstate
-allow statsd dumpstate:fd use;
-allow statsd dumpstate:fifo_file { getattr write };
-
-# Allow statsd to call back to stats with status updates.
-binder_call(statsd, stats)
-
-# Allow access to with hardware layer and process stats.
-allow statsd proc_uid_cputime_showstat:file { getattr open read };
-hal_client_domain(statsd, hal_health)
-hal_client_domain(statsd, hal_power)
-hal_client_domain(statsd, hal_thermal)
-
-# Allow 'adb shell cmd' to upload configs and download output.
-allow statsd adbd:fd use;
-allow statsd adbd:unix_stream_socket { getattr read write };
-allow statsd shell:fifo_file { getattr read };
-
-unix_socket_send(bluetooth, statsdw, statsd)
-unix_socket_send(bootstat, statsdw, statsd)
-unix_socket_send(lmkd, statsdw, statsd)
-unix_socket_send(platform_app, statsdw, statsd)
-unix_socket_send(radio, statsdw, statsd)
-unix_socket_send(statsd, statsdw, statsd)
-unix_socket_send(system_server, statsdw, statsd)
-
-###
-### neverallow rules
-###
-
-# Only system_server, system_app, traceur_app, and stats command can find the stats service.
-neverallow {
- domain
- -dumpstate
- -priv_app
- -shell
- -stats
- -statsd
- -system_app
- -system_server
- -traceur_app
-} stats_service:service_manager find;
-
-# Only statsd and the other root services in limited circumstances.
-# can get to the files in /data/misc/stats-data, /data/misc/stats-service.
-# Other services are prohibitted from accessing the file.
-neverallow { domain -statsd -system_server -init -vold } stats_data_file:file *;
-
-# Limited access to the directory itself.
-neverallow { domain -statsd -system_server -init -vold } stats_data_file:dir *;
diff --git a/public/app.te b/public/app.te
index 3de24fbab..40a0a00ab 100644
--- a/public/app.te
+++ b/public/app.te
@@ -166,6 +166,9 @@ allow appdomain shell_data_file:file { write getattr };
 allow appdomain incidentd:fd use;
 allow appdomain incidentd:fifo_file { write getattr };
+# Allow apps to send information to statsd socket.
+unix_socket_send(appdomain, statsdw, statsd)
+
 # Write profiles /data/misc/profiles
 allow appdomain user_profile_data_file:dir { search write add_name };
 allow appdomain user_profile_data_file:file create_file_perms;
diff --git a/public/file.te b/public/file.te
index 4b0dc2dcb..b70c4e2fa 100644
--- a/public/file.te
+++ b/public/file.te
@@ -267,6 +267,7 @@ type nfc_data_file, file_type, data_file_type, core_data_file_type;
 type radio_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
 type recovery_data_file, file_type, data_file_type, core_data_file_type;
 type shared_relro_file, file_type, data_file_type, core_data_file_type;
+type stats_data_file, file_type, data_file_type, core_data_file_type;
 type systemkeys_data_file, file_type, data_file_type, core_data_file_type;
 type textclassifier_data_file, file_type, data_file_type, core_data_file_type;
 type trace_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
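Review bot: The new `unix_socket_send(appdomain, statsdw, statsd)` in public/app.te widens who may write to the statsd socket from a few named domains (the bluetooth, platform_app and radio sends removed from private/statsd.te) to every app domain, and the one-line comment does not record that. If, as in AOSP, appdomain also covers untrusted_app, ephemeral_app and isolated_app, then anything arriving on statsdw must now be treated as attacker-controlled input and attributed by the kernel-supplied sender credentials rather than by fields in the payload; a comment such as `# Allow apps to send information to statsd socket. Every app domain, including untrusted and isolated apps, can write here, so statsd must not trust the payload for sender identity.` would make that explicit for the next reader. It is also worth confirming whether isolated_app should be excluded if isolated processes are not intended senders; the hunk gives no indication either way.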
@@ -345,6 +346,7 @@ type racoon_socket, file_type, coredomain_socket;
 type recovery_socket, file_type, coredomain_socket;
 type rild_socket, file_type;
 type rild_debug_socket, file_type;
+type statsdw_socket, file_type, coredomain_socket, mlstrustedobject;
 type system_wpa_socket, file_type, data_file_type, core_data_file_type, coredomain_socket;
 type system_ndebug_socket, file_type, data_file_type, core_data_file_type, coredomain_socket, mlstrustedobject;
 type tombstoned_crash_socket, file_type, coredomain_socket, mlstrustedobject;
diff --git a/public/statsd.te b/public/statsd.te
new file mode 100644
index 000000000..c108805cb
--- /dev/null
+++ b/public/statsd.te
@@ -0,0 +1,82 @@
+type statsd, domain, mlstrustedsubject;
+
+type statsd_exec, exec_type, file_type;
+binder_use(statsd)
+
+# Allow statsd to scan through /proc/pid for all processes.
+r_dir_file(statsd, domain)
+
+# Allow executing files on system, such as running a shell or running:
+# /system/bin/toolbox
+# /system/bin/logcat
+# /system/bin/dumpsys
+allow statsd devpts:chr_file { getattr ioctl read write };
+allow statsd shell_exec:file rx_file_perms;
+allow statsd system_file:file execute_no_trans;
+allow statsd toolbox_exec:file rx_file_perms;
+
+userdebug_or_eng(`
+ allow statsd su:fifo_file read;
+')
+
+# Create, read, and write into /data/misc/stats-data, /data/misc/stats-system.
+allow statsd stats_data_file:dir create_dir_perms;
+allow statsd stats_data_file:file create_file_perms;
+
+# Allow statsd to make binder calls to any binder service.
+binder_call(statsd, appdomain)
+binder_call(statsd, healthd)
+binder_call(statsd, incidentd)
+userdebug_or_eng(`
+ binder_call(statsd, perfprofd)
+')
+binder_call(statsd, system_server)
+
+# Allow logd access.
+read_logd(statsd)
+control_logd(statsd)
+
+# Grant statsd with permissions to register the services.
+allow statsd {
+ app_api_service
+ incident_service
+ userdebug_or_eng(`
+ perfprofd_service
+ ')
+ system_api_service
+}:service_manager find;
+
+# Grant statsd to access health hal to access battery metrics.
+allow statsd hal_health_hwservice:hwservice_manager find;
+
+# Allow statsd to send dump info to dumpstate
+allow statsd dumpstate:fd use;
+allow statsd dumpstate:fifo_file { getattr write };
+
+# Allow access to with hardware layer and process stats.
+allow statsd proc_uid_cputime_showstat:file { getattr open read };
+hal_client_domain(statsd, hal_health)
+hal_client_domain(statsd, hal_power)
+hal_client_domain(statsd, hal_thermal)
+
+# Allow 'adb shell cmd' to upload configs and download output.
+allow statsd adbd:fd use;
+allow statsd adbd:unix_stream_socket { getattr read write };
+allow statsd shell:fifo_file { getattr read };
+
+unix_socket_send(bootstat, statsdw, statsd)
+unix_socket_send(lmkd, statsdw, statsd)
+unix_socket_send(statsd, statsdw, statsd)
+unix_socket_send(system_server, statsdw, statsd)
+
+###
+### neverallow rules
+###
+
+# Only statsd and the other root services in limited circumstances.
+# can get to the files in /data/misc/stats-data, /data/misc/stats-service.
+# Other services are prohibitted from accessing the file.
+neverallow { domain -statsd -system_server -init -vold } stats_data_file:file *;
+
+# Limited access to the directory itself.
+neverallow { domain -statsd -system_server -init -vold } stats_data_file:dir *;
--
GitLab
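Review bot: The unix_socket_send lines for bluetooth, platform_app and radio that were removed from private/statsd.te are not carried into public/statsd.te, so the move silently relies on those three domains being members of appdomain and therefore covered by the new rule in public/app.te; a comment above the remaining unix_socket_send block, `# App domains (including bluetooth, platform_app and radio) get statsdw access in app.te.`, would make that dependency visible, and the membership should be checked against the domain definitions before merging. Separately, the moved comments now carry two typos into public policy: "prohibitted" in the stats_data_file neverallow comment and "Allow access to with hardware layer" above the proc_uid_cputime_showstat rule. That neverallow exempts init, vold and system_server alongside statsd, which the comment describes only as "the other root services in limited circumstances"; naming the four exempt domains would be clearer than the paraphrase.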